Solved

SBS 2003 and Server 2008 shared folder privileges?

Posted on 2010-11-24
Last Modified: 2012-05-10
Hi All,

We currently have 3 different sites which are interlinked via a VPN.  The main site is running on SBS 2003, and the other 2 are running on Server 2008.  All users have access to 3 shared folders through the network, but these are all top level folders.  Meaning that all users can view everything on each shared folder.  Some folders such as the admin folder are set up for a few users and deny access to the rest.

My question is, what is the best practice to set these folders up to make sure that certain users only can view what they require?  Should I set up a separate shared folder for each area? I.e., accounts, sales, quotations etc?  Create user groups and just add the higher privileged users there?  Is it bad the way these folders are currently set up?

Any help would be appreciated.
Question by:choy77
LVL 9

Expert Comment

by:dmessman
ID: 34206244
There are many ways to do this and it's based on your personal preference.  But the extent to which you create different shares should be based on how large you expect the restricted resource to be.

You definitely should create multiple security groups - accounting, admin, sales, etc.  Add members to groups as appropriate.  

For accounting, make a whole new share.  But then if there's one folder within accounting that's super private, you wouldn't make a whole new share.  Just restrict permissions to a group based on that.  For example, if there was a folder that contained salary information that regular accountants and only the CFO and CEO should see, don't make a whole new share - just create a new security group that only contains the CFO and CEO and protect that folder.  

I generally follow that theory - large folder hierarchies get their own share and drive letter.  Tiny folder hierarchies just get restricted by security group.  Medium folder hierarchies - your call.

Author Comment

by:choy77
ID: 34206718
Ok, that makes sense, thanks for the information.  So, say I create a new security group for users I only want to be able to access the accounts folder, how do I go about denying access to the folder for every other user?  Or even hiding the folder so people cannot view it?  Are you aware of a lot of companies that operate this way with having shared folders like this?  Or is this living dangerously?

Thanks.

Author Comment

by:choy77
ID: 34206757
On another note, is there a prefix in which new security groups should be given? Or a way in which they should be named?

Thanks

Author Comment

by:choy77
ID: 34206869
And how can I stop users from deleting folders which they have not created, and put certain users in a group who will be able to delete folders/files etc?

Expert Comment

by:sivra
ID: 34207503
You can go to that top level folder properties, security.  Click the advanced button, edit button, select a user or group, click edit.  Now there is a drop down that probably says "This folder, subfolders, and files".  You can change the Everyone permission here to this folder only.  This allows users and groups to view the subfolders, but you can individually assign permissions to those folders now without an inherited permission from the root folder.  

Remember that the deny permission always overrides allow permissions.
LVL 9

Accepted Solution

by:
dmessman earned 500 total points
ID: 34229936
To stop users from accessing or deleting folders they don't have access to, don't give them access.  You shouldn't really need to set deny permissions.

Let's say you have an accounting folder with subfolders of A, B, and C.  You want all accountants to access A and B, but only a group of accountants called CFO to access C.  

Create a share called accounting.  

For the accounting share, give the accountants group full control to the accounting share and all subfolders (as described above by sivra).

Now, go to folder C.  Edit the security group permissions and remove accountants group.  Add the CFO group.  Apply to that folder and all subfolders.  Now, accountants won't be able to access that folder.  There is no deny permission - but no allow permission, so only members of the CFO group will be able to access it.
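
The steps in the accepted answer, scripted as an added example that is not part of the original thread: it grants the accountants group on the share root, breaks inheritance on folder C so that only the CFO group remains, then audits the result. The path, the `EXAMPLE\` group names and the helper functions are placeholders, and keeping `BUILTIN\Administrators` on folder C is an assumption so the folder stays manageable.

```powershell
# Added example: paths and group names are placeholders, not values from the thread.
$share       = 'D:\Shares\Accounting'      # folder behind the "accounting" share
$folderC     = Join-Path $share 'C'
$accountants = 'EXAMPLE\Accountants'
$cfo         = 'EXAMPLE\CFO'
$admins      = 'BUILTIN\Administrators'    # assumption: admins keep access to C

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# 1. Share root: accountants get Full Control, inherited by A, B and C.
$acl = Get-Acl -Path $share
$acl.AddAccessRule((New-AllowRule $accountants 'FullControl'))
Set-Acl -Path $share -AclObject $acl

# 2. Folder C: stop inheriting from the root and discard the inherited
#    entries (this is what removes Accountants), then allow CFO and admins.
$acl = Get-Acl -Path $folderC
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, do not copy inherited ACEs
$acl.AddAccessRule((New-AllowRule $cfo    'FullControl'))
$acl.AddAccessRule((New-AllowRule $admins 'FullControl'))
Set-Acl -Path $folderC -AclObject $acl

# 3. Audit: report Deny entries and any identity outside the intended list,
#    for example an explicit ACE left on the folder from an earlier setup.
function Test-FolderAcl([string]$Path, [string[]]$Expected) {
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny ACE for $id"
        } elseif ($Expected -notcontains $id) {
            $findings += "Unexpected allow for $id"
        }
    }
    $findings
}

$problems = Test-FolderAcl $folderC @($cfo, $admins)
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'Folder C ACL contains only the intended groups'
}
```

Run it from an elevated PowerShell session on the file server; the audit function can be pointed at any other restricted folder with its own list of expected groups.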


Author Closing Comment

by:choy77
ID: 34360731
Thanks for your help